Thank you for helping keep StorySparkAI and its users safe. We take security seriously and appreciate responsible disclosure from the community.
- Supported Versions
- Reporting a Vulnerability
- What to Include in Your Report
- Our Response Process
- Disclosure Policy
- Scope
- Out of Scope
- Security Best Practices for Contributors
- Known Security-Sensitive Areas
- Hall of Thanks
We actively maintain and apply security fixes to the following versions:
| Version / Branch | Supported |
|---|---|
main (latest) |
✅ Actively supported |
| Older branches | ❌ Not supported — please upgrade |
Only the main branch receives security patches. If you are running a forked or older version, we strongly recommend syncing with main.
Please do NOT report security vulnerabilities through public GitHub issues.
Public disclosure before a fix is in place puts all users of StorySparkAI at risk. Instead, please use one of the following private channels:
Use GitHub's built-in private reporting feature:
- Go to the Security Advisories page
- Click "Report a vulnerability"
- Fill in the details and submit
This keeps the report completely private between you and the maintainers until a fix is ready.
If you prefer email, contact the project maintainer directly:
Use the subject line: [SECURITY] StorySparkAI Vulnerability Report
Please encrypt sensitive details if possible. We will acknowledge your report within 48 hours.
A good vulnerability report helps us reproduce and fix the issue faster. Please include:
- Description — A clear explanation of the vulnerability and its potential impact
- Affected component — Frontend, backend, authentication, API, etc.
- Steps to reproduce — Numbered steps that allow us to reproduce the issue
- Proof of concept — Code snippets, screenshots, or a screen recording (if safe to share)
- Expected vs actual behavior — What should happen vs what actually happens
- Suggested fix — Optional, but very welcome
- Your environment — Browser, OS, Node.js version, etc.
The more detail you provide, the faster we can act.
Once you submit a report, here is what to expect:
| Timeline | Action |
|---|---|
| Within 48 hours | We acknowledge receipt of your report |
| Within 5 days | We confirm whether the issue is valid and assess severity |
| Within 14 days | We aim to have a patch ready for valid high/critical issues |
| Within 30 days | We aim to resolve all valid reported issues |
| After fix is released | We coordinate public disclosure with you |
We will keep you updated throughout the process and credit you in the release notes (unless you prefer to remain anonymous).
We follow a coordinated disclosure model:
- You report the vulnerability privately
- We investigate and develop a fix
- We release the fix
- We publicly disclose the vulnerability (after the fix is live), crediting you if you wish
We ask that you:
- Give us a reasonable amount of time to fix the issue before any public disclosure
- Avoid exploiting the vulnerability beyond what is needed to demonstrate it
- Do not access or modify other users' data without explicit permission
The following are in scope for security reports:
- JWT token issues (weak secrets, missing expiry, algorithm confusion)
- Google OAuth misconfiguration or token leakage
- OTP verification bypass or brute-force vulnerabilities
- Missing or broken authentication guards on protected routes
- Session fixation or session invalidation failures after password reset
- Privilege escalation (e.g., regular user accessing admin endpoints)
- Injection attacks (SQL, NoSQL/MongoDB injection, command injection)
- Broken access control on REST API endpoints
- Sensitive data exposure in API responses (passwords, tokens, keys)
- Missing rate limiting on authentication or sensitive endpoints
- Insecure direct object references (IDOR)
- Broken error handling that leaks stack traces or internal details
- Server-Side Request Forgery (SSRF)
- Cross-Site Scripting (XSS) — stored, reflected, or DOM-based
- Cross-Site Request Forgery (CSRF)
- Sensitive data (API keys, tokens) exposed in client-side code or
.envfiles - Open redirects
- Clickjacking vulnerabilities
- MongoDB misconfiguration or unauthorized data access
- Exposure of user PII (names, emails, passwords)
- Insecure storage of secrets or credentials
- Prompt injection attacks that manipulate AI-generated story output maliciously
- Leakage of AI API keys through responses or client bundles
- Exposed
.envfiles or secrets committed to the repository - Misconfigured CORS policy allowing unauthorized origins
- Security headers missing (CSP, HSTS, X-Frame-Options, etc.)
The following are not considered valid security reports for this project:
- Vulnerabilities in third-party services (MongoDB Atlas, Vercel, Google OAuth infrastructure itself)
- Social engineering attacks targeting maintainers
- Physical security issues
- Denial of Service (DoS) via excessive requests without authentication context
- Missing security headers on third-party CDN resources
- Self-XSS that requires the attacker to already have control of their own browser
- Spam or automated account creation without demonstrated impact
- Theoretical vulnerabilities without a working proof of concept
- Issues in outdated browsers or unsupported environments
- Findings from automated scanners with no manual verification or context
If you are contributing code to StorySparkAI, please follow these guidelines:
- Never commit
.envfiles, API keys, JWT secrets, or database credentials - Use
.env.examplewith placeholder values for documentation - All secrets must be injected via environment variables — never hardcoded
- Always validate and sanitize user input on both frontend and backend
- JWT tokens must have a reasonable expiry (
expiresIn) - Refresh token rotation should invalidate old tokens on use
- Always verify OTP server-side — never trust client-side OTP checks
- Apply authentication middleware to all protected routes
- Validate request body schemas (use libraries like
zodorjoi) - Never expose raw MongoDB
_idfields or internal error stack traces in API responses - Apply rate limiting to login, signup, OTP, and password-reset endpoints
- Keep
npmdependencies up to date - Run
npm auditregularly and address high/critical findings before opening a PR - Do not add dependencies with known unpatched vulnerabilities
- Never store JWT tokens in
localStorage— preferhttpOnlycookies or memory - Sanitize any user-generated content before rendering it in the DOM
- Do not expose backend URLs, API keys, or secrets in the Vite client bundle
The following areas of the codebase handle sensitive logic and deserve extra care during review and contribution:
| Area | Sensitivity | Notes |
|---|---|---|
| Authentication controllers and middleware | 🔴 High | Login, signup, Google OAuth, OTP handling |
| JWT utility / helper modules | 🔴 High | Token generation, signing, and verification |
| User controller / profile management | 🟠 Medium | User deletion, profile updates, account actions |
| Signup / Login frontend pages | 🟠 Medium | Form validation, password handling, token storage |
Environment configuration files (.env) |
🔴 High | Must never be committed — contains API keys and secrets |
| AI story generation endpoints | 🟠 Medium | Prompt injection surface — sanitize all user input |
We sincerely thank everyone who has responsibly disclosed security issues to us. Your efforts make StorySparkAI safer for everyone.
No disclosures yet — be the first! 🛡️
This security policy is inspired by best practices from GitHub's recommended security policy template and the OWASP Vulnerability Disclosure Cheat Sheet.